Performance, Risk & Compliance: different currencies or three sides of a coin?

Talking to a lot of different parties in the world of audit, performance management and governance, I'm surprised by the isolated approach most are still taking to these topics. Specialist solutions for things like KPI dashboards, Basel-III compliance and general ledger analyzers are being offered in abundance. For me the three elements can't be seen in isolation, and thus investments in this area should focus on combined solutions.

First a step back: why are we talking about these topics at all? Well, it's all about trying to run a business and making a profit (or, for non-profit businesses, achieving their goals without a deficit). In doing so we are struggling to balance markets, products and people, whilst bound by legislation and surprised by unexpected events. On top of that we have the dimension of time to cope with. Some of our actions and decisions today will have a direct impact, some an indirect or delayed result. Some of our directives will be adopted, some will be adapted and others bypassed completely.

Ideally one would like to be informed about the actual status and outcome of all these elements in real time. That is probably not practical, and it would lead to so much information overflow that we stop all business, either because we have no time left to do it anymore or because we are getting too scared to do anything at all. But reality today puts us at the complete other end of the spectrum: too little, too late. Even the best-run operations will know only a few days into the next month how they did in the previous one. And even then a lot of the information is not 100%: theoretical booked revenue, hopefully also recognized correctly, expectations about the (future) receivables, reserved cost levels. All leading to an estimated profit and cash flow. Some elements only become final after financial or tax audits, sometimes years later. More distressing, many underlying unwanted things influencing the business outcome (spillage, errors, ignorance and fraud) will not surface at all, or at best so late that repairing is futile or even impossible. And last but not least, individually implemented solutions may be counterproductive (think of individual KPIs and bonus schemes, or creative financial products to bypass tax legislation).

Well, managing uncertainty is a synonym for doing business, so we should not cry about that too much. Over the years we have invested a very large amount of money in getting better control over uncertainty. Whether forced by government, pushed by shareholders or internally driven, we implemented procedures, internal controls, reporting structures, audit cycles, early warning systems and what have you to put our minds at ease. Over time, performance, risk and compliance, maybe called differently at times, seem to have been alternating flavors "en vogue". Without being scientific, I recall the 80's as performance focused, the 90's as risk focused, the early 00's as compliance focused and the late 00's as focusing on risk again.

In my opinion, looking forward we should take a more integrated approach. Since achieving our business objectives remains the prime driver, solutions driven by business performance optimization should permanently analyze the impact of non-optimal real-life process execution. Timeliness, compactness and relevance of the resulting information will give business managers the opportunity to quickly intervene, adapt and mitigate. With these instruments the manager will be able to focus on the prime business activities, whilst empowered to deal with unnecessary "leakage". The common label for the above is Continuous Monitoring.

Wikipedia: "Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization's financial and operational environment."

Having its origins in the audit world and fueled by the SOX compliance drive, continuous monitoring is the attempt to bring auditing in line with the demands of the global 7x24 economy. Under the cover of this name a lot of automation of isolated compliance and risk elements is sold. These are sometimes effective in themselves, like quicker audit processes or automated system controls, but they do not bring the value of an integrated approach. Performance is the less developed element, which is not surprising given the origin in auditing, but it seems to be catching up.

Performance and risk are equally important flip sides of a coin: they need to be balanced and one has no value without the other. Compliance is the obligatory text stamped on the rim. Or in other words: "In Compliance We Trust". A new generation of auditors and solution providers has adopted this new integrated currency. Still small in number and far from being mainstream yet, these are the founders of an industry we will see established in the coming years. So that in retrospect, in 2020, we can say that the 10's were the years of Continuous Monitoring.

